• Google Account Password Reset Vulnerability using Mobile Sec Token [ClickJacking]

    #Title: Google Account Password Reset Vulnerability using Mobile Sec Token [ClickJacking]
    #Author: Sandeep Kamble
    #Business Risk : High Risk
    #Attack Type: Click jacking
    #Tested Browser: Firefox 3.6
    #OS: Win 7 / Linux
    #Reported Date: OCT 21 , 2011


    I recently reported click jacking vulnerability to Google, involving Google Account Recovery Options Prompt Page where users save mobile number.
    Normally if user Losing access can mean not being able to send mail to friends, not being able to access photos or documents you've created online, and not being able to access any of the information stored on your Google Account. Google provided one unique option to submit mobile number into Google account. In that user recover password by verifying Mobile Sec Token.
    Google says “A mobile phone is one of the easiest and quickest ways to help protect your account. It's more secure than your recovery email address or your security question because you usually have your phone with you.” Oh yeah fast way to get hacked also

    How did it work?

    Google provided mobile number update page, where users can update their mobile number. I noticed on this Google Mobile update page there was missing X-Frame-Options. This is smell of Clickjacking vulnerability.

    Vulnerable URL:  https://accounts.google.com/b/0/AccountRecoveryOptionsPrompt?continue=https%3A%2F%2Faccounts.google.com%2Fb%2F0%2FEditPasswd&sarp=1&level=WITHOUT_PHONE

    In short Clickjacking vulnerabilities involves attacker to craft one webpage to initiate request to a web site (Google). This will interact with UI elements on that site and victim will think, he is interacting with another site which is of attacker.

    Proof Of concept

    Example of ClickJacking Crafted Site (Iframe Opacity 0):
    http://dl.dropbox.com/u/18007092/google/img2.png [/img]

    Iframe Opacity visible (Here you will get Clear picture):

    When victim will drag the Old crap computer into the trash, he is actually dragging attacker number into the Google Account page. When victim click on the Save or Go button, he is actually click on “Add Phone “on Google Page. After successfully execution the above step, then automatically attacker mobile number is added into the Google Account.
    Now attacker turns, to change the password of victim attacker will use Google Password Recover service where attacker needs to choose the Mobile Option to recover the password.

    The following is the attacker screen.
    URL: https://www.google.com/accounts/recovery/recoveryoptions

    When attacker click Continue, Attacker will receive the verification code is a 6-digit number on his mobile number.
    Which is needed to be while reset the password.

    After successfully submission of the password, finally you will see a heaven window which will allow attacker to change the password!


    W00t Finally attacker has changed the password using Click jacking vulnerability in Google Account.

    Reference: https://www.owasp.org/index.php/Clickjacking

    Orignal POC Link :

    More Description in Video :
    http://f9pix.com/Google hy5xoe/Google.flv

    Special Thanks To Amol Naik And G4h Team

    Thanks for Google Security Team to Patch vulnerability in very fast manner

    Sign Out !
    This article was originally published in forum thread: Google Account Password Reset Vulnerability using Mobile Sec Token [ClickJacking] started by [s] View original post
    Comments 1 Comment
    1. drgfly's Avatar
      drgfly -
      Amazing find!! super impressive
  • G4H Facebook

  • G4H Twitter